Date:      Fri, 19 Mar 1999 16:45:17 -0600
From:      Guy Helmer <ghelmer@scl.ameslab.gov>
To:        Jeff Yeo <Jeff_Yeo@pml.com>
Cc:        "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject:   Re: ipfw rule blocking connection
Message-ID:  <Pine.SGI.4.05.9903191634280.5589-100000@demios.scl.ameslab.gov>
In-Reply-To: <8E6C9AEA17A8D2118D6E00A0C99869402AF48A@HERMES.pml.com>

On Fri, 19 Mar 1999, Jeff Yeo wrote:

> I'm running FreeBSD 2.2.8-RELEASE as a firewall using ipfw
> and natd and /etc/rc.firewall as a starting point.  I'm using
> 192.168.1.0/24 on the internal network, and an Internet 
> IP address on the external interface.  Using ipfw show, I've 
> noticed that the following rule is blocking replies from the 
> external interface:
> 
> ipfw add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

I changed the "stop RFC1918 nets on outside interface" rules
on my natd firewall to:

ipfw add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
ipfw add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
ipfw add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
ipfw add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
ipfw add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
ipfw add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}


> I'm assuming that natd changes the destination address on the 
> packet and reinjects it into the packet stream.  When it hits the
> above rule, it appears that there has been a packet received on 
> ${oif} with a destination of 192.168.1.x and the packet is dropped.
> Is this correct?

Yes.  The changed rules should do the right thing -- they have trapped
incoming packets with a source address of 192.168.x.x on my firewall but
otherwise allow correct operation with natd.

Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science 
Research Assistant, Ames Laboratory       ---         ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science   ---   ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer
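To make the behaviour discussed in this thread concrete, the following is an added illustration (not code from the thread, from rc.firewall or from FreeBSD): a toy model of ipfw's first-match rule walk with a natd divert step. It assumes an external interface name, a public firewall address and a remote host as constructed placeholders, models only the 'deny all from A to B [in|out] via IF' rule form, and simplifies natd to a destination rewrite without ports. It runs the same three packets (a translated reply to a LAN host, a spoofed inbound packet with a private source, and an outbound packet to a private destination) through the original direction-less rules and through the in/out rules above, so the reader can see which packet each rule set drops and why.

```python
"""Toy model of ipfw's first-match rule walk, to show why the RFC1918
anti-spoofing rules on a natd firewall need an explicit in/out direction.

Added illustration for the thread above; it is not FreeBSD code and models
only the 'deny all from A to B [in|out] via IF' form plus natd's inbound
destination rewrite. Interface names and the public/remote addresses are
constructed placeholders; 192.168.1.0/24 is the LAN from the thread.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OIF = "ed0"                     # assumed name of the external interface (${oif})
PUBLIC_IP = "198.51.100.7"      # constructed: the firewall's Internet address
INTERNAL_HOST = "192.168.1.10"  # a host on the internal 192.168.1.0/24 network
REMOTE_HOST = "203.0.113.5"     # constructed: an Internet server the LAN host talked to

# natd state, simplified to 'public destination -> private host' (ports omitted)
NAT_TABLE = {PUBLIC_IP: INTERNAL_HOST}

RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" or "out", relative to the firewall
    iface: str


@dataclass(frozen=True)
class Rule:
    action: str                        # "deny", "allow" or "divert"
    src: str = "any"                   # CIDR network or "any"
    dst: str = "any"
    iface: Optional[str] = None        # 'via IF'
    direction: Optional[str] = None    # None: bare 'via' matches both directions

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        return _in_net(p.src, self.src) and _in_net(p.dst, self.dst)


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """First-match walk. A divert rule on the external interface rewrites the
    destination of an inbound packet the way natd does, and evaluation then
    continues with the *translated* packet at the next rule."""
    for rule in rules:
        if rule.action == "divert":
            if pkt.iface == rule.iface and pkt.direction == "in" and pkt.dst in NAT_TABLE:
                pkt = replace(pkt, dst=NAT_TABLE[pkt.dst])
            continue
        if rule.matches(pkt):
            return rule.action, pkt
    return "allow", pkt   # assumed permissive tail after the anti-spoofing rules


def original_rules() -> List[Rule]:
    """The rc.firewall form Jeff hit: direction-less 'via ${oif}'."""
    rules = [Rule("divert", iface=OIF)]
    for net in RFC1918:
        rules.append(Rule("deny", src=net, iface=OIF))
        rules.append(Rule("deny", dst=net, iface=OIF))
    return rules


def directional_rules() -> List[Rule]:
    """Guy's rewrite: private sources only 'in', private destinations only 'out'."""
    rules = [Rule("divert", iface=OIF)]
    for net in RFC1918:
        rules.append(Rule("deny", src=net, iface=OIF, direction="in"))
        rules.append(Rule("deny", dst=net, iface=OIF, direction="out"))
    return rules


# Constructed scenarios: a legitimate NAT reply, a spoofed inbound packet,
# and an outbound packet addressed to a private network.
NAT_REPLY = Packet(REMOTE_HOST, PUBLIC_IP, "in", OIF)
SPOOFED_IN = Packet("192.168.77.1", PUBLIC_IP, "in", OIF)
PRIVATE_OUT = Packet(PUBLIC_IP, "10.1.2.3", "out", OIF)


def compare() -> dict:
    """Action each rule set takes for each scenario, keyed by scenario name."""
    out = {}
    for name, pkt in [("nat_reply", NAT_REPLY), ("spoofed_in", SPOOFED_IN),
                      ("private_out", PRIVATE_OUT)]:
        out[name] = {"original": verdict(original_rules(), pkt)[0],
                     "directional": verdict(directional_rules(), pkt)[0]}
    return out


if __name__ == "__main__":
    for name, actions in compare().items():
        print(f"{name:12s} original={actions['original']:5s} "
              f"directional={actions['directional']}")
```

Running it shows the reply to the LAN host being denied by the original rules (after the divert step its destination is 192.168.1.10, and a bare `via ${oif}` matches inbound traffic too) but allowed by the directional rules, while the spoofed inbound packet and the outbound packet to a private destination are denied by both rule sets. On a real system the equivalent check is `ipfw show`, as Jeff did, to see which rule's counters climb when a connection stalls.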
